Privacy-focused browser DuckDuckGo promises to protect users who use the software on Android, iOS and macOS devices from online tracking. However, according to a security researcher, it does allow certain data to flow from third-party websites to Microsoft-owned services.
The DuckDuckGo Privacy Browser (DuckDuckGo Privacy Browser) security audit was conducted by Zack Edwards who found, contrary to his own expectations, that they do not block Meta’s Workplace domain, for example, from sending information to the Bing and LinkedIn domains. , from Microsoft.
You can capture data within the DuckDuckGo so-called private browser on a website like Facebook’s and you’ll see that DDG does NOT stop data flows to Microsoft’s Linkedin domains or their Bing advertising domains.
iOS + Android proof:
๐๐ซฅ๐ฎโ๐จ๐คกโ๏ธโ๏ธ๐ธ๐ธ๐ธ pic.twitter.com/u3Q30KIs7eโ โจ๐๐ ๐ฅ ๐๐ก๐ด๐๐ฏ๐ก๐ฐ (@thezedwards) May 23, 2022
According to Edwards’ discovery, while DuckDuckGo Privacy Browser blocks Facebook and Google trackers, it allowed Microsoft trackers to continue to function, specifically on the Workplace page, delivering user information to bing.com and linkedin.com domains for of personalized advertising.
โI tested DuckDuckGo called Private Browser for both iOS and Android, but neither version blocked data transfers to Microsoft’s LinkedIn + Bing ads while viewing the Facebook homepage[.]com,โ Edwards explained in a Twitter thread.
According to The Registera company spokesperson confirmed that the same is true for the browser version of DuckDuckGo for macOS (in beta).
Image: DuckDuckGo/Reproduction
DuckDuckGo Tries to Explain Browser Data Transfer: ‘Microsoft Search Syndication Agreement’
In response to Edwards’ tweets, DuckDuckGo CEO and founder Gabriel Weinberg confirmed that the company’s browser intentionally allows Microsoft’s third-party website crawlers due to the search syndication agreement with Redmond. Weinberg has defended the DDG’s transparency around the agreements with the Big Tech company and took the opportunity to clarify that this restriction only affects the browser and not the DuckDuckGo search engine.
according to a explanation on company website, when the user clicks on ad provided by Microsoft, he will be redirected to the advertiser’s landing page through the Microsoft Advertising platform. In this process, Microsoft Advertising will use the user agent’s full IP address and string so that it can correctly process the ad click and bill the advertiser.
Compared to other search engines, DDG says that when a user clicks on a Microsoft-provided ad that appears on DuckDuckGo, Microsoft Advertising does not associate their one-click behavior with a user profile. It also does not store or share this information other than for accounting purposes.
With respect to Microsoft’s third-party cookies โ used for tracking ads on third-party websites โ DuckDuckGo ensures that they are blocked in the company’s browsers, however, there are scripts used for tracking that are not blocked due to contractual commitments with Microsoft. .
For non-search tracker blocking (eg in our browser), we block most third-party trackers. Unfortunately our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expect to be doing more soon.
โ Gabriel Weinberg (@yegg) May 23, 2022
โFor blocking non-search trackers (for example, in our browser), we block most third-party trackers,โ Weinberg said. “Unfortunately our Microsoft search syndication agreement prevents us from doing more with Microsoft properties.” However, we have been pushing continuously and hope to do more soon.โ
“What we’re talking about here is top-down protection that most browsers don’t even try to do โ that is, blocking third-party tracking scripts before they load on third-party sites,” says Weinberg in a post on Twitter. reddit.
He adds that there is effort by DuckDuckGo to prevent this from happening and compares it to the practice of competing browsers. โUsers are still getting significantly more privacy protection with DuckDuckGo than they would with Safari, Firefox and other browsers,โ he says.
What Weinberg says is that DuckDuckGo offers better user privacy protection compared to the average browser on the market.
Still in the same post on Reddit, Weinberg tried to explain the restrictions involved without violating the contractual commitment with Microsoft, which has terms that oblige DuckDuckGo to keep them confidential.
The issue at hand is that while most of our protections, such as blocking third-party cookies, apply to Microsoft scripts on third-party websites (again, this is outside of DuckDuckGo.com, i.e. unrelated to search), we are currently contractually restricted by Microsoft to completely prevent them from uploading (the protection above and later explained in the last paragraph) to third party websites. However, we still restrict them (eg, third-party cookies are not allowed). The original example was Workplace.com loading a script from LinkedIn.com. However, we have been working and are working with Microsoft as we speak to reduce or remove this limited restriction.
Anyway, I hope this provides some useful context. Taking a step back, I know our product isn’t perfect and never will be. Nothing can provide 100% protection. And we face a lot of restrictions: platform restrictions (we can’t offer all protections on every platform for limited APIs or other restrictions), limited contractual restrictions (as in this case), break restrictions (blocking some things that totally break web experiences) , and, of course, the evolution of the arms race that we constantly work to keep ahead. That’s why we’ve always been extremely careful never to promise anonymity when browsing outside of our search engine, because, frankly, that’s not possible. We are also working on updating our app store descriptions to make this clearer. Holistically, although I believe that what we offer is the best thing there is for the average user who wants simple privacy protection without breaking things, and that’s our product vision.
with information from BleepingComputer, The Register
